https://apgarandassoc.com
Privacy, information security, HIPAA, HITECH and regulatory compliance
Tue, 19 Feb 2019 14:12:45 +0000

How can your Third Party Vendor help or hurt your SOC 2 status?
https://apgarandassoc.com/how-can-your-third-party-vendor-help-or-hurt-your-soc-2-status/
Tue, 19 Feb 2019 14:12:45 +0000

Are you tracking the moving target of your third party vendors’ privacy and security practices? You may want to get on that. If you’re one of the many organizations about to tackle the SOC 2 assessment process, familiarize yourself with the AICPA’s 2017 Trust Service Criteria document (formerly Trust Service Principles). You’ll quickly notice the underlying theme is organizational risk management, where vendor risk management figures prominently.

The updated criteria delve into the many joys of maintaining and assuring “commitment” and “competency.” Under the evolving TSPs (yes, still called TSPs), “system and organization controls” expand to include cybersecurity risks, such as those that come with third party vendors.

In fact, nearly every mention of risk profile components includes vendors: their reliability, the need to assess external threats, the ongoing relationship. So how do you begin to manage the risk they bring to your organization?

Vet them at the outset as part of due diligence prior to contract. Well, of course, you say. Wait for it: vet again, and again, at timely intervals.

All too often, we see the opposite. When going through a proposal process, organizations may be all over the potential vendor partner with a microscope. Once the contract is complete, crickets. As long as the service is fairly smooth, vendor privacy and security audits are rare, if they happen at all.

However, an organization that’s considering any certification (HITRUST, ISO) or a successful SOC report won’t have that option. And increasingly, to be competitive, you need to make the extra effort to demonstrate your data privacy and information security competency. So what’s the plan?

Tips for Third Party Vendor Risk Management

Vet vendors early and often. Because it bears repeating, make due diligence a repetitive activity. Regular re-assessment of your vendor’s privacy and security practices could be the action that saves your organization from an embarrassing and costly breach.

Make them prove that they train their workforce on issues you think are important. Isn’t your third party partner part of your operations? Don’t they affect your ability to conduct business successfully? Think about how you can identify your most important training issues and push the vendor to include them in its training. That speaks to assuring competency, by the way. A TSP.

Mitigate risks immediately. You’ll inevitably identify privacy and security risks during everyday business oversight. When they’re to do with a vendor, take action immediately. The more quickly you address any vulnerability, the less likely it can grow from a manageable security incident to a major security breach.

For those of you who are happy SOC 2 Report achievers, keep up to par on those TSPs. Remember, the AICPA is only one organization homing in on vendor risk management. Whether you’re going for a certification or simply trying to stay on top of regulatory requirements, the risk is real.

Are you considering a certification or readying for an assessment? Chris Apgar and Julia Huddleston have helped numerous clients prep for a successful assessment to achieve certification or a SOC 2 report. Call Apgar and Associates today to learn more: 503-384-2538.

How to Harden Laptops, Tablets & Smartphones to Protect PHI
https://apgarandassoc.com/how-to-harden-laptops-tablets-smartphones-to-protect-phi/
Wed, 06 Feb 2019 14:35:06 +0000

When your goal is to protect PHI on laptops and mobile devices, keep in mind that information security is only as strong as its weakest link. Lenient information security standards exponentially increase the risk to sensitive healthcare data. They can also place you in non-compliance with the HIPAA Security Rule. On top of that, the courts are likely to see it as a security failing in the case of data breaches. Now you’re looking at an expensive lawsuit!

An abbreviated overview of the HIPAA Security Rule’s general requirements calls for covered entities and business associates to do the following:

Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of this part.

Can you demonstrate device encryption?

CEs and BAs, keep in mind, too, that you can’t take advantage of the HIPAA Breach Notification Rule safe harbor if you can’t demonstrate that stolen devices were actually encrypted at the time. If the device isn’t locked down, it’s hard to prove that the device was secure and that no PHI or PII was accessed when the device was lost or stolen. While Apple tablets and smartphones are natively encrypted, either end users or IT staff need to enable or turn on encryption for Android tablets and smartphones, Windows laptops, tablets and smartphones, and Macs. Take the below steps to protect laptops, tablets and smartphones – and to protect PHI.

7 Steps to Laptop Data Security & Intrusion Protection

Remove administrator privileges for all company-owned laptops and lock down devices

Device hardening is considered a reasonable security safeguard, which means it’s a “must do” when it comes to HIPAA compliance and state law compliance in some states. Take the necessary steps to protect PHI and avoid the bad headlines, regulatory penalties, lawsuits and lost business. If you need to beef up compliance planning, conduct your security risk analysis, or just aren’t sure where to start with any of it, give us a call: 503-384-2538.

5 Ways You Can Reduce Phishing Risk
https://apgarandassoc.com/5-ways-you-can-reduce-phishing-risk/
Tue, 22 Jan 2019 15:22:42 +0000

Malware attacks via phishing knocked it out of the park in 2018. Phishing attacks account for an inordinate number of the data breaches and compromised networks. In fact, the Identity Theft Resource Center (ITRC) reported that “one-third of all security incidents last year began with a phishing email.” As the cyberattacks get sneakier, everyone – workforce and consumers – is at ever-higher risk of breaching data privacy and security.

From fake offers of free World Cup tickets to false GDPR privacy policy notices, 2018’s worst phishing scams cut no corners on creativity. Organizations large and small have implemented penetration testing, aka pen testing, to see how well their technology and their workforce withstand malware attacks. If we’ve learned one thing, it’s that size doesn’t matter to cyberattackers.

5 Pointers to Avoid Getting Hooked

Conduct penetration testing, aka pen testing. Pen testers employ the same tactics as hackers, but to your benefit. You’ll discover how effective your firewalls and patches are as well as how well your workforce “gets” anti-phishing training.

Conduct phishing-specific training. Human error continues to be a big gap in privacy and security effectiveness. One click or tap on a link or attachment opens the gate to phishing malware. Scenario-specific, interactive, out-of-the-box training sessions make the biggest difference.

Stay on top of the latest phishing and smishing (mobile device phishing via text) techniques so you can take measures to prevent systems infiltration as well as keep your workforce alerted.

Encourage transparency internally and externally. Whether it’s an employee who opened the backdoor or a third party partner, you need to know when security has been breached. Promote admitting, “I may have messed up,” and knowing what to do the second it happens (i.e., per your security incident response plan).

Keep anti-virus, anti-spam and anti-spyware software current. Hackers are smart cookies but if you’re not on top of essential technology safeguards, they don’t even have to try.

If we were going to choose one tech tip and one human error prevention tip to focus on in Q1, we’d select pen testing and anti-phishing training. One pen testing researcher is so intent on lighting a fire against phishing that he published his scarily successful pen test.

And should all prevention measures fail, you’ll need backup. Which brings us to: Keep recent backup system copies readily accessible. If phishing does get through, you’ll want to be able to quickly go back to a “safe” backup so you can get operations back up and running. With response measures in place, the sooner you know, the faster you can act.

Data Privacy & Security: 2018 Reflections & the Year Ahead
https://apgarandassoc.com/data-privacy-security-2018-reflections-the-year-ahead/
Tue, 18 Dec 2018 15:25:40 +0000

It’s been a tumultuous 2018 for data privacy and information security. New regulations here and abroad show that data privacy will continue to be a hot topic as we move into 2019.

We’re seeing that OCR’s investigations and penalties aren’t limited to large entities or to large breaches. Expect that to continue. Over 60 organizations reported breaches affecting fewer than 1000 individuals, reminding everyone that not all breaches make headlines. Some of them are small organizations in your own backyard.

Buyer Beware re CCPA Cool Tools

The California Consumer Protection Act (CCPA) has reaped much hoopla. And the sales push on the trade show floors shows it. At conferences nationwide, we’ve seen “solutions” for CCPA compliance. Yet the Act isn’t yet in its final codified form.

Our recommendation on CCPA: don’t put the cart before the horse. Spend the time between now and the CCPA’s 2020 date getting your data privacy and security house in order. Go back to basics and pay attention to how the law evolves before spending money – and implementation time – on a “cool tool” that ultimately, may not be what you need.

Not All Certifications are Created Equal

On that note of cool things, are you looking at how your vendors are certified? People will peddle that they’re certified in this or that, like saying “We’re ISO certified.” That’s great. But we can’t stress enough that not all ISO certifications mean the same thing. The ISO 27001 certification is the one that relates to information technology security standards. So if you have a potential vendor touting their certifications, do a quick online search to be sure that it’s the one(s) that matters to your business. Oh, and make sure the certifications are still active. Just because a vendor was certified once doesn’t mean they are still certified.

In fact, just because you’re in the healthcare business doesn’t mean you necessarily need to rush out and buy a regulatory-specific solution or need the certification that your competitor is getting. Examine what type of business you do, where you do it and who your customer is before making a financial and time commitment that may not be needed, or that may not be needed right now.

When it comes to you and your business, be strategic. And keep in mind that not all business strategies call for the same certification. We can help you figure out which certification makes the most sense for your organization (HITRUST, SOC 2 and ISO 27001 are the most commonly pursued).

Now that you have all the information that matters (ho, ho, ho!), kick back and let’s toast 2018 out and 2019 in! We wish you and yours a happy, healthy holiday season and a prosperous new year. Thanks for making 2018 such a great year and for trusting us to help you with your data privacy, security, compliance and certification preparations!

Word of Warning: join.me Does Not Sign Business Associate Agreements
https://apgarandassoc.com/word-of-warning-join-me-does-not-sign-business-associate-agreements/
Wed, 12 Dec 2018 14:51:04 +0000

A few days ago, after making multiple attempts on behalf of a client to verify and clarify how join.me supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the join.me platform. Therefore – as you’ll see in the exchange below – they “do not sign BAAs.”

So, a warning to those who use join.me and store recordings that include PHI on the join.me platform – join.me is unwilling to execute a business associate agreement with covered entities and business associates. If you need a video communications platform that supports the storage of PHI and is HIPAA compliant, it’s wise to look elsewhere.

Below is a reprint from a warning I posted on LinkedIn just the other day. Please feel free to share your experiences of similar situations and vendors with me in the comments area on that post. Here’s my email exchange with join.me.

Original Question/Comment

I’m attempting to get an answer one last time. I represent a mutual customer who currently uses join.me who is required to comply with HIPAA. Given the fact that protected health information (PHI) may be stored on join.me’s platform in the form of recordings, join.me is required to sign a business associate agreement with my client. If join.me is unable or unwilling to sign a business associate agreement, I need to recommend that my client change to another conferencing platform such as Zoom or WebEx who will sign a business associate agreement.

On Dec 2, 2018, at 6:42 PM, join.me Support wrote:

Hello Chris,

Thank you for contacting join.me.

We actually do not sign BAAs because our services are not HIPAA compliant as HIPAA compliance, per se, is applicable only to entities covered by HIPAA regulations (e.g., healthcare organizations).

That being said, the technical security controls employed in the join.me service and associated host and client software can meet or exceed HIPAA technical standards. But again, we are unable to sign any BAAs.

If we have answered your question, we will send you an email in the next few days asking for your feedback. We value your opinion and thank you in advance for taking the time to click on the survey link and letting us know how your experience was with our team.

Thanks again for using join.me.

L*** | Customer Support Representative
LogMeIn, Inc.

My reply to join.me

You (join.me) answered my question. My client will be looking for another vendor. While the functionality may be there to secure the data, my client would be violating HIPAA by continuing to use the join.me platform. As the US Department of Health and Human Services, Office for Civil Rights has stated, claiming to not be a business associate doesn’t mean you actually aren’t one. I also feel a need to remind covered entities and business associates they shouldn’t be contracting with join.me if the platform will be used to store recordings that contain PHI.

My Recommendation

Ultimately, I had to recommend to the client that they not use join.me but check into online video and document storage with vendors who will sign BAAs, such as Zoom or Webex. This instance serves as a reminder that no matter how technically secure a vendor professes to be, if you plan to use their platform or services for anything pertaining to PHI, there needs to be a BAA in place, documenting that they follow HIPAA regulatory requirements as they relate to PHI protection. And as I indicated to the customer support representative above, claiming that you’re not a business associate doesn’t magically transform you into not being one!

Chris is a frequent LinkedIn Pulse contributor. You can connect with him here, and you can follow Apgar and Associates on LinkedIn here.

Policy Controls: Why The Whole World Wants You to Write Policies
https://apgarandassoc.com/policy-controls-why-the-whole-world-wants-you-to-write-policies/
Tue, 13 Nov 2018 20:37:13 +0000

As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial, and rigorous, and there wasn’t an infomercial to be found!

Policy controls and their importance are the hot topic for anyone doing business – healthcare, financial or retail – on either side of the ocean. Keep in mind that policy controls are the basis on which anyone assessing the company’s system is building. Also remember that GDPR uses the term “privacy” interchangeably for what we in the US differentiate into privacy and security. So when they say “policy controls” they’re saying privacy policies (i.e., controls), and those very likely pertain to both privacy and security.

Note: This information will be explored in greater detail in our upcoming GDPR Guide for Business Associates. Keep an eye on our website and sign up for our newsletter to receive an alert. The guide should be available by early December.

Related to the topic of policy controls in all of its attendant meanings, I attended several GDPR-focused workshop sessions.

One of the speakers at a session I attended focused on policy writing – European style and United States style. The German IT attorney who spoke about European style policy writing made the following statements (and yes, I’m paraphrasing):

Data Protection Authorities (DPAs) are likely to read policies

DPAs are likely to take policies at their word. If an organization is not following its own policies, the DPAs are likely to view that as a breach.

From a United States perspective, substitute OCR/regulators/auditors for DPAs, and the same advice holds true. For instance, consider the following instances of policies and procedural controls related to HIPAA, ISO 27001 and SOC 2.

The HIPAA Security Rule is not prescriptive. Covered entities and business associates must implement controls that are:

reasonable for the organization’s size,

the complexity of what it does, and

the sensitivity of the information with which it deals.

ISO 27001 is not prescriptive. ISO says that you build an Information Security Management System to ensure information privacy. Organizations develop their Information Security Management Systems based on:

risk assessment,

risk treatment plans, and

the Statement of Applicability.

SOC 2 is not prescriptive. Organizations design their own controls to meet the SOC 2 principles that are relevant to the business.

Privacy & Policy Controls Success Tip: Walk the Talk

With all that said, once an organization designs a policy control, it needs to live up to what it says it will do. Auditors are “show me” people. Say one of the controls you assert is in place for your information system includes a well-defined off-boarding system. You say that every step is tracked by a ticketing system, and that management reviews occur at regular intervals to make sure the system is being followed.

You can bet that the auditors will ask to see the written documentation that defines the system, a sample of the tracking tickets, and dated evidence of management review. There may be a call for an organizational chart that depicts that management really is management, too.

You get to design and implement the policy controls that your organization will follow. Follow regulation, and good practice, yes, but also make sure that your business can and will live by the standards that you’ve committed to – whether you’re in Portland, Oregon or Prague, Czech Republic!

For help with the intricacies of certification readiness, including policy controls, contact Julia Huddleston, a Certified Information Privacy Manager and a Certified Information Privacy Professional.

*More information about the 2018 Privacy & Security Forum can be found here.

Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule
https://apgarandassoc.com/privacy-security-forum-update-ocr-activity-audit-protocols-ransomware-the-hipaa-security-rule/
Mon, 29 Oct 2018 17:57:04 +0000

Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago. One of the sessions I attended was focused on what’s happening at OCR these days. The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP. I heard about new OCR activity, got an answer to my question about the future use of the OCR audit protocols, and took away key OCR points. I have the pleasure of passing the Forum’s highlights on to you.

OCR audit protocols use.

The big news to me was the answer to one of my questions about OCR audit protocols. For over a year, we’ve been saying that for investigations and enforcement activity it’s likely OCR will use the audit protocols that were updated from the phase 2 audits. I took the opportunity to ask the top authority at OCR about future use of the protocols. Mr. Severino confirmed – that’s just what OCR intends to do and may already be doing.

Other OCR activity includes:

Updating HIPAA/FERPA guidance (jointly with the US Department of Education)

Issuing a notice of proposed rulemaking (NPRM) or request for information (RFI) on the HITECH Act accounting of disclosures language (the last NPRM was not well received by the industry and privacy advocates)

Evaluating ways OCR can distribute funds received as part of enforcement related civil monetary penalties and settlement agreements to victims of breaches of their PHI

That’s a fair amount of activity. The only caveat is we don’t know how soon “soon” is.

FBI and FTC weigh in on ransomware attacks.

I also attended a session that featured speakers from the FBI and the FTC. Along with Mr. Severino, the FBI said the first step covered entities and business associates should take if attacked by ransomware is to contact the FBI. The FBI has agents in place to investigate ransomware and help covered entities and business associates get their data back without paying a ransom. This is something to keep in mind when you’re updating your security incident response plans, especially given that local law enforcement may not have the resources to assist with an investigation.

Is the HIPAA Security Rule being updated?

There has been much talk over the past few years about the need to update the HIPAA Security Rule. The Director indicated that he thinks there is nothing fundamentally broken with the Security Rule, so it’s unlikely the rule will be amended any time soon. The Security Rule is technology neutral and flexible. It hasn’t become obsolete due to changes in technology, and there has been a lot of change since the rule was published in 2005.

OCR phase 2 audit results and plans for enforcement.

Mr. Severino shared that OCR was finalizing phase 2 audits and results will be published soon. As far as the audit program goes, he indicated that there would likely be no more formal audits. Instead, the audits would become part of OCR’s enforcement activity. He believes this promotes an enforcement mindset with a higher level of rigor, similar to enforcement activity conducted by the US Department of Justice.

An audience member asked if enforcement would continue unabated or would be curtailed under this administration. The answer: OCR is still on track with enforcement. Mr. Severino would like to see enforcement go down as a reflection of the expansion of a culture of compliance, which OCR has been pushing since 2011. He did add that the industry was far from there today.

Adam Greene asked Mr. Severino to provide three takeaways for the audience. The Director said:

You need to treat PHI as if it was a bar of gold. That includes conducting periodic risk analyses, encrypting PHI and securing mobile devices.

“We’re from the government and we’re here to help” – tap into OCR resources through its website, the most popular website for the US Department of Health & Human Services.

“Help us help you” – review NPRMs, RFIs, and other items on which OCR would like input from the industry, and provide feedback. Periodically check regulations.gov for opportunities to give OCR feedback.

All in all it was a great conference and good to get information from the proverbial horse’s mouth. Julia will be sharing information about some of the sessions she attended. Look for more in the weeks to come!

Communication Disconnect: Sales Promises & the Information Security Audit
https://apgarandassoc.com/communication-disconnect-sales-promises-information-security-audit/
Fri, 12 Oct 2018 22:06:35 +0000

Has this happened to your company? The sales team has a hot prospect who wants them to conduct an information security audit. Sales promises that not only can that happen, but also that it will happen by a specific deadline. The problem? No one checked with the C-suite or operations management before committing.

This communication – and timing – disconnect between sales and operations can cost companies both prospects and current customers. Information security is traditionally implemented and maintained behind the scenes. In today’s market, particularly for healthcare vendors, good market positioning means that information security has to be front and center.

As an example, the demand for a SOC 2 audit report is on the rise. Healthcare vendors and other service organizations are being asked for it as proof of a sound information security program. We work with clients as they prepare for and proceed through SSAE 16 SOC 2 audits. In cases where vendors engage a CPA firm to conduct a SOC 2 audit, we find that the decision to go through an information security audit comes from two places: the C-suite and sales. The C-suite sees the audit as a way to retain current customers and to maintain marketability. The sales team looks at it as another strong sales point.

What happens when the sales team over-promises?

If the sales team sells a product or service based on the assumption an information security audit can be done without checking in with its IS department, they may find themselves in a huge bind. It’s even more problematic if the company executed a customer contract along with the promise to conduct a SOC 2 audit. Imagine how that will come back to bite the company when the customer demands a copy of the nonexistent report!

In one instance, a company we’ve worked with in the past lost out on a multi-million dollar deal based on an over-promise. Sales promised they would complete a SOC 2 audit, which they then delayed for a couple of years. The prospective client walked away from the table. Remember, the proverbial grapevine works well, healthcare industry or otherwise. If you’re doing a great job, people will hear about it. If you fall on your face, they’ll hear about it faster.

Sales teams like to run full steam ahead, promising results, valuable products and enhanced service. That’s a good thing. That’s how companies stay in business and continue to grow. Often, though, IT / IS is left trying to figure out how to keep the promises made.

Vendors for healthcare and other service organizations are under mounting pressure to prove customer data is safe and secure. Information security is a market driver. If sales and the information security team aren’t on the same page, the outcomes could be disastrous for business. So communicate amongst yourselves! Sales, IT and the information security team. Actively involve the C-suite. Then you can be assured the company is steered in the right direction, with the right resources. When promises measure up to delivery, everyone is happy.

You’re a US company & subject to the GDPR. Now what?
https://apgarandassoc.com/youre-a-us-company-subject-to-the-gdpr-now-what/
Thu, 27 Sep 2018 21:40:47 +0000

What happens now that US organizations that thought they were off the GDPR hook are so on it?

The onset of the GDPR, at first glance, seemed straightforward. Are you in the EU? Do you employ or do business with anyone in the EU? No? All good on personal data privacy. Except that your one-time, at-a-glance, high level assessment won’t hold up. Blame the GDPR’s broad definition of personal data. And realize that Europeans are far more guarded about their personal data privacy than the US, at a very granular level. Beyond health or financial information, or minors’ personal information, the GDPR goes far deeper.

Examples of GDPR-defined personal data

Work email address

Political party

Religious beliefs

Racial or ethnic information

GDPR defines “personal data” as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

There are also two important functional roles defined under the GDPR: the Data Controller and the Data Processor. A data processor is defined as someone who processes data on behalf of the data controller. That may be a company providing a 3rd party software or platform that stores data. The data controller is the entity that collects the data, such as a health plan collecting member data or a bank collecting customer data.

So how does a US organization, particularly one that typically adheres to strict compliance standards, deal with the GDPR? A company that has attained certification through HITRUST or SOC 2 likely feels fairly confident of being able to meet the GDPR’s requirements. Unfortunately, one does not equal the other.

6 Actions You Can Take to Support GDPR Compliance

1. Be sure that your Security Risk Analysis encompasses all “personal data” as defined under the GDPR, not just PHI and PII. Remember, location data counts, too! If you’re a data controller, you’ll also need to look at impact assessments that relate to GDPR-defined personal data.

2. Check that your 3rd party data processor is approved by the data controller. PHI that falls into the GDPR personal data category can only be used and disclosed on instruction from the data controller. That means that what typically would be an OK use by a Business Associate under HIPAA isn’t if the data is defined as “personal data” under the GDPR.

3. Appoint your EU-based representative and designate a Data Protection Officer. This is a major point of compliance with the GDPR. The DPO’s contact info must be publicly published as well as formally shared with the EU’s Privacy Commissioners.

4. Be sure you’re authorized to engage in data flow transfers that relate to the individuals, or “natural persons” under the GDPR regs. Validate under your operations management contract that the data transfer is necessary and authorized.

5. Modify your security incident response plan to include the GDPR breach notification guidelines. Under the GDPR, data controllers only have 72 hours from the breach discovery to notify the EU Data Protection Authorities. Be sure to test your ability to comply with the requirement.

6. Prominently display your privacy practices and the privacy rights of individuals to conform with the GDPR. Individual privacy rights include the right to access the data collected, to correct that data, to restrict how it is processed, and even to require that you erase the personal data.

Under the GDPR, US companies who discover from their data analysis that they deal with personal data of any kind from people who live in the EU (even non-EU citizens) must comply with its requirements. The cost of non-compliance is huge – up to 20,000,000 EUR. For US healthcare organizations who still struggle to meet HIPAA requirements over two decades after its enactment, the GDPR may well mean that they simply choose not to do business with EU residents.

Are you contemplating how to comply with the GDPR? Contact Apgar & Associates for a data inventory and risk assessment: 503-384-2538.

Privacy and Security Training: Less hype, less myth, more HIPAA realities.
https://apgarandassoc.com/privacy-and-security-training-less-hype-less-myth-more-hipaa-realities/
Fri, 24 Aug 2018 20:51:01 +0000

I’m often taken aback by some of the marketing material I receive from privacy and security training vendors. This is clearly a “buyer beware” moment. The review of a training vendor’s material can give you some insight into their credibility, particularly if you’re already somewhat knowledgeable of the material that needs to be covered in any privacy and security training session you’re looking to enroll in. The training risk comes when someone doesn’t have a good grasp of the material, because they may well be fed outdated information or, worse, partial truths about HIPAA.

I may be a little sensitive because of the type of privacy and security training that we and some of our partners provide. Timely, current event-relevant, regulation-sensitive training. But in this instance, we received a vendor mailing focused on email integration and texting in the healthcare communications environment. Sounds entirely reasonable, right? Unfortunately, the marketing copy reflected outdated or even misleading information.

Marketing hype or regulatory reality?

The vendor’s privacy and security training marketing materials included these topics and observations, presented as facts:

Email and texting are in the early adoption stages in healthcare settings. Texting is becoming the preferred engagement, overtaking paging.

Mobile phone use for texts or calls relating to payment, to provide critical healthcare information or other official purposes is a no-no for providers and violates HIPAA.

Risk evaluation and management related to business communication that may or may not contain PHI is under scrutiny. Improper exposure may be considered an official breach.

Violation enforcement can include fines up to $50,000 per day and more.

Impacts of the Telephone Consumer Protection Act (TCPA) limit the use of cell phones for payment and healthcare purposes unless consent is obtained.

Let’s take it from the top. First of all, texts and emails are common in today’s healthcare environment. While the topic is worth addressing as part of ongoing training (and hopefully touches on serious email threats like phishing), it’s not a new issue.

Secondly, clarification is in order when it comes to texts. HIPAA doesn’t require covered entities to obtain consent before, say, sending an appointment reminder via text message. I do, however, think it’s a courtesy that should be extended because not everyone is comfortable with anything to do with their health being texted to them.

Now to take it a step further, if the email or the text message is encrypted, there are really no HIPAA consent requirements. If the individual requests texts and emails be sent unencrypted, covered entities do need to document that the individual making the request has been informed of the dangers associated with unencrypted transmission of PHI. That’s not the same as obtaining consent.

When it comes to risk evaluation and risk management, yes those are hot items. And while I do wonder what an “unofficial” breach is, I agree the improper exposure of PHI may result in a reportable breach. Please keep in mind that if the exposure is unintentional, like a misdirected email, it may or may not be a reportable breach. That’s where the HIPAA Breach Notification Rule’s four factor risk assessment comes into play.

Here’s where I seriously part ways with the material: the violation enforcement information and the penalties.

If you’re doing the right thing, discover a breach, follow the required investigation and notification process and report the breach to OCR in a timely manner, you likely won’t be fined by OCR. Now, if there is a breach and OCR finds you haven’t conducted a risk analysis, haven’t adopted current and enforceable policies, haven’t trained your staff and so on, then yes, chances are higher that you’ll be paying in the form of a penalty or monetary settlement.

As far as the $50,000 per day goes, OCR can levy penalties up to $50,000 for a single violation, up to a maximum of $1.5 million per calendar year. There’s no reference in any OCR guidance to violations being counted in days. They could in fact be counted as the number of records breached. If, as an example, 1,000 patients’ PHI was breached, OCR could count that as $50,000 × 1,000 (if you’re found guilty of willful neglect). Because the penalty amount calculated this way would exceed $1.5 million, the maximum penalty amount would be levied unless a lower amount was negotiated between OCR and the breaching entity.

Finally, the TCPA. I need to point out that the TCPA was enacted in 1991 – pre-HIPAA – and addressed robocalls. It had nothing specifically to do with text messages and healthcare.

The bottom line on healthcare privacy and security training.

Emails and texting to communicate healthcare information have been going on for years. Keep in mind that, while OCR guidance (“Right to Access”) emphasizes the need for covered entities to communicate effectively with patients, there is no reference to text messaging or emailing other than to state that patients can request communications be made using unencrypted email as long as the risks associated with it are clearly communicated. There is zero reference to text messaging in the guidance or in HIPAA itself.

I wholeheartedly agree that you need to regularly conduct privacy and information security training with your workforce. I also agree that you need up-to-date privacy and security training documentation.

I’m concerned that there are entities not up on the risks and how those risks are associated with patient communication. The first HHS rules that apply to the use of email to communicate with patients date back to January 2013 (the Omnibus Rule) and February 2014 (the HIPAA CLIA Rule).

Training vendors need to be vetted. If you or your staff are going to take your valuable time to attend any vendor-offered training, you need to know that it has more real-world application to privacy and security risks, engages employees on how they can protect ePHI, and accurately reflects regulatory requirements. More HIPAA realities, less marketing myth.